CVE-2004-2451

Vulnerability

Roger Wilco 1.4.1.6 and earlier, as well as Roger Wilco Base Station 0.30a or earlier, lacks proper input validation on audio stream metadata. An attacker can craft a network packet specifying an arbitrary channel identifier, causing the server to route the audio to a channel the attacker should not have access to. This is known as the "Voices from the deep" bug [1].

Exploitation

The attacker does not need an authenticated session on the target server. They must be able to send network packets to the Roger Wilco server on the UDP port used for audio streaming (typically 3783). By forging the channel identifier field in the audio packet, the attacker can make the server deliver the audio stream to any channel of their choosing [1]. No prior user interaction or elevated privileges are required beyond network access to the server.

Impact

A remote, unauthenticated attacker can inject audio into arbitrary voice channels, causing false or disruptive messages to be heard by legitimate users in those channels. This constitutes a violation of integrity and availability, as the attacker can impersonate trusted users or flood channels with unwanted audio. The exact scope of compromise depends on the server's channel configuration, but no file read or code execution is described in the references.

Mitigation

No official patch has been released for this vulnerability. The affected software – Roger Wilco 1.4.1.6 and earlier, and Base Station 0.30a and earlier – appears to be end-of-life and no longer supported by the vendor [1]. As of the publication date (2004-12-31), no workaround is documented. Operators of legacy installations should consider isolating the application or migrating to a supported alternative.